jwt_sessions 3.0.1 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +11 -11
- data/lib/jwt_sessions/store_adapters/redis_store_adapter.rb +2 -1
- data/lib/jwt_sessions/version.rb +1 -1
- data/lib/jwt_sessions.rb +3 -1
- data/test/units/jwt_sessions/test_access_token.rb +1 -1
- data/test/units/jwt_sessions/test_refresh_token.rb +1 -1
- data/test/units/jwt_sessions/test_session.rb +11 -1
- data/test/units/jwt_sessions/test_token.rb +6 -6
- data/test/units/test_jwt_sessions.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e1264eae87a9f5dc03028ee842e83da499f4d9d3f819d10b676f1bcde974cc2a
|
|
4
|
+
data.tar.gz: a29d5d6d8a07d24f275072536c7cd912e041aeec6d4c9392eeebf30b9c6337a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4abc1c449bd2692b00797c42c235d52dd4f67e30176e77d04da79a29fd5828ee73696908745ce8432af2cc8514523b24d4128158822ce412f2e9d6092550ad91
|
|
7
|
+
data.tar.gz: 6b7006560ab05859b51c9add771f029b68c0f09a391fe576c47b6e97ba72b1bdbabb8c787262a07553962e24bdccb2148c2bf960f614af56e497f8c18e9a4c7a
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
## 3.1.1 (May 6, 2023)
|
|
2
|
+
|
|
3
|
+
Bugfixes:
|
|
4
|
+
|
|
5
|
+
- fix bug with flushing empty refresh tokens (Unsupported command argument type: NilClass (TypeError))
|
|
6
|
+
|
|
7
|
+
## 3.1.0 (February 18, 2023)
|
|
8
|
+
|
|
9
|
+
Features:
|
|
10
|
+
|
|
11
|
+
- rename `encryption_key=` to `signing_key=` (keep the alias for backward compatibility)
|
|
12
|
+
|
|
1
13
|
## 3.0.1 (December 28, 2022)
|
|
2
14
|
|
|
3
15
|
Support:
|
data/README.md
CHANGED
|
@@ -60,10 +60,10 @@ bundle install
|
|
|
60
60
|
|
|
61
61
|
## Getting Started
|
|
62
62
|
|
|
63
|
-
You should configure an
|
|
63
|
+
You should configure an algorithm and specify the signing key. By default the gem uses the `HS256` signing algorithm.
|
|
64
64
|
|
|
65
65
|
```ruby
|
|
66
|
-
JWTSessions.
|
|
66
|
+
JWTSessions.signing_key = "secret"
|
|
67
67
|
```
|
|
68
68
|
|
|
69
69
|
`Authorization` mixin provides helper methods which are used to retrieve the access and refresh tokens from incoming requests and verify the CSRF token if needed. It assumes that a token can be found either in a cookie or in a header (cookie and header names are configurable). It tries to retrieve the token from headers first and then from cookies (CSRF check included) if the header check fails.
|
|
@@ -119,7 +119,7 @@ Available `JWTSessions::Session.new` options:
|
|
|
119
119
|
|
|
120
120
|
- **payload**: a hash object with session data which will be included into an access token payload. Default is an empty hash.
|
|
121
121
|
- **refresh_payload**: a hash object with session data which will be included into a refresh token payload. Default is the value of the access payload.
|
|
122
|
-
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{ aud
|
|
122
|
+
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{ "aud" => ["admin"], "verify_aud" => true }` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
|
|
123
123
|
- **refresh_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the refresh token payload.
|
|
124
124
|
- **namespace**: a string object which helps to group sessions by a custom criteria. For example, sessions can be grouped by user ID, making it possible to logout the user from all devices. More info [Sessions Namespace](#sessions-namespace).
|
|
125
125
|
- **refresh_by_access_allowed**: a boolean value. Default is false. It links access and refresh tokens (adds refresh token ID to access payload), making it possible to perform a session refresh by the last expired access token. See [Refresh with access token](#refresh-with-access-token).
|
|
@@ -152,15 +152,15 @@ class ApplicationController < ActionController::API
|
|
|
152
152
|
end
|
|
153
153
|
```
|
|
154
154
|
|
|
155
|
-
Specify
|
|
155
|
+
Specify a signing key for JSON Web Tokens in `config/initializers/jwt_session.rb` \
|
|
156
156
|
It is advisable to store the key itself in a secure way, f.e. within app credentials.
|
|
157
157
|
|
|
158
158
|
```ruby
|
|
159
159
|
JWTSessions.algorithm = "HS256"
|
|
160
|
-
JWTSessions.
|
|
160
|
+
JWTSessions.signing_key = Rails.application.credentials.secret_jwt_signing_key
|
|
161
161
|
```
|
|
162
162
|
|
|
163
|
-
Most of the
|
|
163
|
+
Most of the algorithms require private and public keys to sign a token. However, HMAC requires only a single key and you can use the `signing_key` shortcut to sign the token. For other algorithms you must specify private and public keys separately.
|
|
164
164
|
|
|
165
165
|
```ruby
|
|
166
166
|
JWTSessions.algorithm = "RS256"
|
|
@@ -294,7 +294,7 @@ require "sinatra/base"
|
|
|
294
294
|
JWTSessions.access_header = "authorization"
|
|
295
295
|
JWTSessions.refresh_header = "x_refresh_token"
|
|
296
296
|
JWTSessions.csrf_header = "x_csrf_token"
|
|
297
|
-
JWTSessions.
|
|
297
|
+
JWTSessions.signing_key = "secret key"
|
|
298
298
|
|
|
299
299
|
class SimpleApp < Sinatra::Base
|
|
300
300
|
include JWTSessions::Authorization
|
|
@@ -395,7 +395,7 @@ JWTSessions.algorithm = "HS256"
|
|
|
395
395
|
You need to specify a secret to use for HMAC as this setting does not have a default value.
|
|
396
396
|
|
|
397
397
|
```ruby
|
|
398
|
-
JWTSessions.
|
|
398
|
+
JWTSessions.signing_key = "secret"
|
|
399
399
|
```
|
|
400
400
|
|
|
401
401
|
If you are using another algorithm like RSA/ECDSA/EDDSA you should specify private and public keys.
|
|
@@ -426,9 +426,9 @@ class UsersController < ApplicationController
|
|
|
426
426
|
|
|
427
427
|
def token_claims
|
|
428
428
|
{
|
|
429
|
-
aud
|
|
430
|
-
verify_aud
|
|
431
|
-
exp_leeway
|
|
429
|
+
"aud" => ["admin", "staff"],
|
|
430
|
+
"verify_aud" => true, # can be used locally instead of a global setting
|
|
431
|
+
"exp_leeway" => 15 # will be used instead of default leeway only for exp claim
|
|
432
432
|
}
|
|
433
433
|
end
|
|
434
434
|
end
|
|
@@ -78,7 +78,8 @@ module JWTSessions
|
|
|
78
78
|
# to be able to properly initialize namespaced tokens extract their namespaces
|
|
79
79
|
# and pass down to fetch_refresh
|
|
80
80
|
token_namespace = namespace.to_s.empty? ? namespace_from_key(key) : namespace
|
|
81
|
-
|
|
81
|
+
token_attrs = fetch_refresh(uid, token_namespace)
|
|
82
|
+
acc[uid] = token_attrs unless token_attrs.empty?
|
|
82
83
|
end
|
|
83
84
|
end
|
|
84
85
|
|
data/lib/jwt_sessions/version.rb
CHANGED
data/lib/jwt_sessions.rb
CHANGED
|
@@ -121,10 +121,12 @@ module JWTSessions
|
|
|
121
121
|
end
|
|
122
122
|
|
|
123
123
|
# should be used for hmac only
|
|
124
|
-
def
|
|
124
|
+
def signing_key=(key)
|
|
125
125
|
@public_key = key
|
|
126
126
|
@private_key = key
|
|
127
127
|
end
|
|
128
|
+
# alias for backward compatibility
|
|
129
|
+
alias encryption_key= signing_key=
|
|
128
130
|
|
|
129
131
|
def access_expiration
|
|
130
132
|
Time.now.to_i + access_exp_time.to_i
|
|
@@ -7,7 +7,7 @@ class TestAccessToken < Minitest::Test
|
|
|
7
7
|
attr_reader :access_token, :uid
|
|
8
8
|
|
|
9
9
|
def setup
|
|
10
|
-
JWTSessions.
|
|
10
|
+
JWTSessions.signing_key = "secret key"
|
|
11
11
|
@payload = { user_id: 1 }
|
|
12
12
|
@csrf = JWTSessions::CSRFToken.new
|
|
13
13
|
@uid = SecureRandom.uuid
|
|
@@ -9,7 +9,7 @@ class TestRefreshToken < Minitest::Test
|
|
|
9
9
|
def setup
|
|
10
10
|
JWTSessions::Session.flush_all
|
|
11
11
|
|
|
12
|
-
JWTSessions.
|
|
12
|
+
JWTSessions.signing_key = "secure key"
|
|
13
13
|
@access_uid = SecureRandom.uuid
|
|
14
14
|
@csrf = JWTSessions::CSRFToken.new
|
|
15
15
|
@token = JWTSessions::RefreshToken.create(@csrf.encoded,
|
|
@@ -9,7 +9,7 @@ class TestSession < Minitest::Test
|
|
|
9
9
|
REFRESH_KEYS = %i[access access_expires_at csrf].freeze
|
|
10
10
|
|
|
11
11
|
def setup
|
|
12
|
-
JWTSessions.
|
|
12
|
+
JWTSessions.signing_key = "security"
|
|
13
13
|
@payload = { test: "secret" }
|
|
14
14
|
@session = JWTSessions::Session.new(payload: payload)
|
|
15
15
|
@tokens = session.login
|
|
@@ -326,6 +326,16 @@ class TestSession < Minitest::Test
|
|
|
326
326
|
assert_equal access_token.expiration.to_s, refresh_token.access_expiration
|
|
327
327
|
end
|
|
328
328
|
|
|
329
|
+
def test_flush_namespaced_access_tokens_after_flush_namespaced
|
|
330
|
+
namespace = "test_namespace"
|
|
331
|
+
session = JWTSessions::Session.new(payload: payload, namespace: namespace)
|
|
332
|
+
session.login
|
|
333
|
+
|
|
334
|
+
assert_equal 1, session.flush_namespaced
|
|
335
|
+
# it should not throw an error
|
|
336
|
+
assert_equal 0, session.flush_namespaced_access_tokens
|
|
337
|
+
end
|
|
338
|
+
|
|
329
339
|
def test_flush_all
|
|
330
340
|
refresh_token = @session.instance_variable_get(:"@_refresh")
|
|
331
341
|
flushed_count = JWTSessions::Session.flush_all
|
|
@@ -19,7 +19,7 @@ class TestToken < Minitest::Test
|
|
|
19
19
|
|
|
20
20
|
def setup
|
|
21
21
|
@payload = { "user_id" => 1, "secret" => "mystery" }
|
|
22
|
-
JWTSessions.
|
|
22
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
def teardown
|
|
@@ -70,7 +70,7 @@ class TestToken < Minitest::Test
|
|
|
70
70
|
end
|
|
71
71
|
|
|
72
72
|
def test_hmac_token_decode
|
|
73
|
-
JWTSessions.
|
|
73
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
74
74
|
token = JWTSessions::Token.encode(payload)
|
|
75
75
|
decoded = JWTSessions::Token.decode(token).first
|
|
76
76
|
assert_equal payload["user_id"], decoded["user_id"]
|
|
@@ -78,7 +78,7 @@ class TestToken < Minitest::Test
|
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
def test_token_sub_claim
|
|
81
|
-
JWTSessions.
|
|
81
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
82
82
|
JWTSessions.jwt_options[:verify_sub] = true
|
|
83
83
|
token = JWTSessions::Token.encode(payload.merge(sub: "subject"))
|
|
84
84
|
decoded = JWTSessions::Token.decode(token, { sub: "subject" }).first
|
|
@@ -90,7 +90,7 @@ class TestToken < Minitest::Test
|
|
|
90
90
|
end
|
|
91
91
|
|
|
92
92
|
def test_token_iss_claim
|
|
93
|
-
JWTSessions.
|
|
93
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
94
94
|
JWTSessions.jwt_options[:verify_iss] = true
|
|
95
95
|
token = JWTSessions::Token.encode(payload.merge(iss: "Me"))
|
|
96
96
|
decoded = JWTSessions::Token.decode(token, { iss: "Me" }).first
|
|
@@ -102,7 +102,7 @@ class TestToken < Minitest::Test
|
|
|
102
102
|
end
|
|
103
103
|
|
|
104
104
|
def test_token_aud_claim
|
|
105
|
-
JWTSessions.
|
|
105
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
106
106
|
JWTSessions.jwt_options[:verify_aud] = true
|
|
107
107
|
token = JWTSessions::Token.encode(payload.merge(aud: ["young", "old"]))
|
|
108
108
|
decoded = JWTSessions::Token.decode(token, { aud: ["young"] }).first
|
|
@@ -114,7 +114,7 @@ class TestToken < Minitest::Test
|
|
|
114
114
|
end
|
|
115
115
|
|
|
116
116
|
def test_token_leeway_decode
|
|
117
|
-
JWTSessions.
|
|
117
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
118
118
|
JWTSessions.jwt_options[:leeway] = 50
|
|
119
119
|
token = JWTSessions::Token.encode(payload.merge("exp" => Time.now.to_i - 20))
|
|
120
120
|
decoded = JWTSessions::Token.decode(token).first
|
|
@@ -18,7 +18,7 @@ class TestJWTSessions < Minitest::Test
|
|
|
18
18
|
assert_equal JWTSessions::DEFAULT_CSRF_HEADER, JWTSessions.csrf_header
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
def
|
|
21
|
+
def test_signing_key
|
|
22
22
|
JWTSessions.encryption_key = nil
|
|
23
23
|
assert_raises JWTSessions::Errors::Malconfigured do
|
|
24
24
|
JWTSessions.private_key
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_sessions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
7
|
+
- Julija Alieckaja
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-05-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
127
127
|
- !ruby/object:Gem::Version
|
|
128
128
|
version: '0'
|
|
129
129
|
requirements: []
|
|
130
|
-
rubygems_version: 3.
|
|
130
|
+
rubygems_version: 3.4.12
|
|
131
131
|
signing_key:
|
|
132
132
|
specification_version: 4
|
|
133
133
|
summary: JWT Sessions
|